As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features—all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs will be generally referred to hereinafter as computer malware, or more simply, malware.
When a computer is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer; or causing the computer to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer is used to infect other systems.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which a computer malware is commonly distributed. As shown in FIG. 1, the typical exemplary networked environment 100 includes a plurality of computers 102-108 all interconnected via a communication network 110, such as an intranet or via a larger communication network including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on a computer connected to the network 110, such as computer 102, develops a computer malware 112 and releases it on the network. The released computer malware 112 is received by, and infects, one or more computers, such as computer 104, as indicated by arrow 114. As is typical with many computer malware, once infected, computer 104 is used to infect other computers, such as computer 106, as indicated by arrow 116, which in turn infects yet other computers, such as computer 108, as indicated by arrow 118. It should be appreciated that the malware 112 may be directed to any one of the computers 104-108 as a result of a request initiated by the computer 102. Clearly, due to the speed and reach of the modern computer networks, a computer malware 112 can “grow” at an exponential rate, and quickly become a local epidemic that quickly escalates into a global computer pandemic.
A traditional defense against computer malware and, particularly, computer viruses and worms, is antivirus software. As is known to those skilled in the art and others, antivirus software typically scans data that is transmitted to a computer, searching for identifiable patterns referred to as signatures that are associated with known malware. If a malware signature is identified, the antivirus software takes appropriate action, such as deleting the malware/infected file or removing the malware from an infected file. In this manner, antivirus software may be able to prevent malware from infecting a computer. However, in some instances, users do not maintain antivirus software by regularly obtaining software updates that have the most recent malware signatures. In this instance, a computer may be vulnerable to a malware, even though an “up-to-date” antivirus software would be able to detect the malware.
Another defense that is common today in protecting against computer malware is a network firewall. As those skilled in the art and others will recognize, a firewall is a security system that protects an internal network from unauthorized access originating from external networks by controlling the flow of information between the internal network and the external networks. All communication originating outside of the internal network is sent through a computer that examines the communication and determines whether it is safe or permissible to forward the communication to the intended target.
The malware detection ability of a firewall or similar protection mechanism is limited by the manner in which data is transmitted over modern computer networks. For example, a client-based computer typically requests one or more files when obtaining data from a server-based computer. Those skilled in the art of computer networks will recognize that components of modern networks segment a file into smaller units (“packets”) in order to transmit the data file over a limited bandwidth network connection. The packets are transmitted over the network and reassembled when they arrive on the client-based computer. Thus, when file data is received at a network transit point, such as a gateway-type computer that protects an internal network, the data has been segmented into packets.
In the prior art, the packetization of data for transmission over a network limits the ability of a gateway-type computer to scan for malware. In some firewalls, all of the packets in a transmission are received and stored at the network transit point before being forwarded. Then, once all the packets have been received, a scan of the complete file is performed by antivirus software. Stated differently, instead of packets being immediately forwarded to the target computer when received at the network transit point, the packets are stored and scanned before being forwarded. As a result, in this instance, the end-user experiences an increase in latency, or delay, in the time required to receive the file. If, individual packets received at the network transit point were scanned for malware and immediately forwarded, thereby reducing or eliminating latency caused by the scan, the network transit point computer would not have a complete context to analyze a file and accurately determine whether the file contains malware.